Rob, In our environment, we primarily perform 'passive' monitoring, e.g. process up/down, cpu utilization, memory utilization, etc. We have not attempted to use any type of automated script-based remediation due, in part, to the results you described below. Our current implementation of CA NSM in our UNIX/LINUX environments runs as a non-root user. We have seen mixed results. The Sys Admins/Application owners can provide access for the agents to see the processes/log files that are requested for monitoring purposes; however, these are typically overlooked during application upgrades.
I would be interested to know the results of your non-root systemEdge testing. Please keep me posted. Thanks, Michael Zink Network Analyst Information Technology Services 3700 Wake Forest Road Raleigh, NC 27609 919-754-6095 (Phone) 919-850-2827 (FAX) 919-723-7066 (Cell) 919-754-6000 (ITS Service Desk) From: Robert Borowicz [mailto:[email protected]] Sent: Monday, November 21, 2011 5:22 PM To: spectrum Cc: spectrum Subject: Re: [spectrum] vaim 12.6 is now available Mike, We have not tried to install as non-root. I have an outstanding question for the VAIM SE asking "what if" the agent is run as a non-root user, what VAIM functions cease to work. It is common practice to NOT run services such as Apache as root since if compromised, the attacker has root. My thought is that a similar concept would apply to an SNMP agent, however your point is well taken, /var/log/messages is owned by root. There are work arounds however, in that "dmesg" could be run by the agent as non-root. There is also a wealth of info in the /proc subdir world readable. It *would* be best to have the systemEdge agent installed as root/administrator, but managed by VAIM. We could then set any log watch, proc mon (and restart) via the console and know it would have the privs to complete. The flipside of this is, if you deliver a script to be run on the host (and there are ways to do this with VAIM) and your script malfunctions, it does so as "root".... I will be testing non-root systemEdge install in my lab. Regards -Rob On Mon, Nov 21, 2011 at 2:17 PM, Zink, Michael <[email protected]<mailto:[email protected]>> wrote: Craig / Rob, We have this problem as well. We cannot ssh directly as root, requiring 2 sets of credentials. Our Unix teams will not provide root access so we will be providing packages for installation. Rob, our understanding from CA was that the install of sysedge required root access. Access other than root is not ideal since processes and logs owned by root may be missed by the agent for monitoring purposes. Have you experienced differently? Thanks, Michael Zink Network Analyst Information Technology Services 3700 Wake Forest Road Raleigh, NC 27609 919-754-6095<tel:919-754-6095> (Phone) 919-850-2827<tel:919-850-2827> (FAX) 919-723-7066<tel:919-723-7066> (Cell) 919-754-6000<tel:919-754-6000> (ITS Service Desk) From: Robert Borowicz [mailto:[email protected]<mailto:[email protected]>] Sent: Friday, November 18, 2011 5:33 PM To: spectrum Cc: spectrum Subject: Re: [spectrum] vaim 12.6 is now available Craig, I spoke to the Product Manger of VAIM on this at CA World this week. He is a aware that this is an issue at many customers and as such limits the ability of the product to be leveraged to its strength. They are working on this... Theoretically systemEdge (I think) can run as a non-root user, and provided the remote communication protocol (CAM/UDP Port 4104) can open a connection and the credentials you CAN provide at the console can write to the install area on the remote host specified, you *should* be able to install systemEdge with VAIM as non-root. At least in Linux/Unix I'm relatively certain this is possible. Winders is another story. We didn't do any such forethought in my shop, but rather simply sent Unix and Windows packages to SA's to install as root/administrator. Now I need to assimilate these individually installed agents into VAIM. Talking this through with the SE at CA World, it seems possible. -Rob On 11/18/2011 4:01 PM, Craig Cook wrote: I am interested in this as well. It does not look like a deployment can use 2 sets of credentials. e.g. For me to deploy sysedge to a unix host I have to login as a regular user first, then su to root. Root can then install the package. >From what I can see you can only use one set of credentials, ie. Login >directly as root. That is not allowed and not a good idea for security >reasons. If anyone knows a workaround let me know. (I was told by CA this feature was included in 12.6, maybe I am not looking in the correct place) Craig * --To unsubscribe from spectrum, send email to [email protected]<mailto:[email protected]> with the body: unsubscribe spectrum [email protected]<mailto:[email protected]> * --To unsubscribe from spectrum, send email to [email protected]<mailto:[email protected]> with the body: unsubscribe spectrum [email protected]<mailto:[email protected]> ________________________________ E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be disclosed to third parties by an authorized state official. * --To unsubscribe from spectrum, send email to [email protected]<mailto:[email protected]> with the body: unsubscribe spectrum [email protected]<mailto:[email protected]> -- Robert K. Borowicz Austin, Texas * --To unsubscribe from spectrum, send email to [email protected]<mailto:[email protected]> with the body: unsubscribe spectrum [email protected] --- To unsubscribe from spectrum, send email to [email protected] with the body: unsubscribe spectrum [email protected]
